Principles for the Processing of Personal Data under the GDPR

The principles are set in article 5 of the GDPR and enshrined thorough all the Regulation, and they apply to every personal data processing activity. As the cornerstone of the Regulation, they should be kept in mind when interpreting the rights and duties established in the GDPR.

Lawfully refers to the duty to process personal data only when there is an appropriate legal basis or legislative measure under the GDPR, EU, or Member State Law. Strictly speaking only when you count with legitimate grounds to process personal data, e.g., explicit consent, you can collect and carry out the processing activities.

In that sense, situations, where the collection of personal data has been done by a non-authorised access, would be unlawful and therefore contrary to this principle.

Fairly, requires providing sufficient information to the data subject to make the processing fair and transparent. In particular, the data subject needs to be informed of the existence of the processing activities and its purposes at the moment of collection. The information shall include all necessary details to ensure fairness and transparent processing, taking into account the specific circumstances and context in which the personal data is processed.

If it is the case, the data subject should be informed of the existence of profiling and consequences and any legal obligation on the data subject to provide with him/her personal data and its consequences if he or she does not do so.

Relevant references: Article 5 and 6 / Recitals: 39, 45, 60 and 71

Transparent, refer to the responsibility to ensure that any information or communication to the data subject shall be concise, easily accessible and easy to understand – clear and plain language; especially when is addressed to a child.

Furthermore, to ensure a fair and transparent processing, this duty concerns the information that should be accessible to the data subject. By rule, all natural persons should be made aware of risk, rules, safeguards, and rights concerning the processing of him/her personal data and how to exercise their rights to such activities.

personal data may only be collected for specified (defined), explicit (clear) and legitimate purposes (legal basis) determined at the moment of collection. Undefined and/or unlimited purposes is unlawful;

personal data must only be processed in a manner compatible with those purposes. Otherwise, it is required a new and separate legal basis.

Now, there are two specific exemptions to this principle:

89(1) processing for archiving, scientific, historical or statistical purposesas far as appropriate technological and organizational measures are in place to protect the rights and freedoms of the data subjects, in particular, the principle of data minimisation.

6(4) processing for another purpose compatible with the purpose for which the personal data are initially collected. To assess the compatibility the following points should be considered: (i) the fair processing information the controller initially provided to the data subject; (ii) the relationship between the purposes for which the data have been collected and the purposes of further processing; (iii) the context in which the data were collected and the reasonable expectations of the data subjects as to their further use; (iv) the nature of the data and the impact of the further processing on the data subjects; and (v) the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

Relevant references: Article 5 and 6 / Recitals 39, 45 and 50

Data Minimisation

This principle refers to the duty to process personal data only when it is adequate (appropriate), relevant (pertinent) and limited to what is necessary for the purposes for which they are processed (not excessive).

To limit the storage of the personal data to a strict minimum, there is a need to establish time limits to delete data or to have periodic reviews to assess what should be erased. Also, to respect data minimisation an assessment should be made regarding the need to process personal data since if there is another reasonable privacy-friendly solution that can fulfill the purposes, the personal data shouldn’t be handled.

Relevant references: Article 5 and 25 / Recitals 39 and 156

Accuracy

This principle imposes the responsibility to take every reasonable step to ensure that personal data are accurate and up to date concerning the specific purposes for which they are processed. Inaccurate data shall be erased or rectified without delay.

Attention should be given to the word “reasonable”, the steps required shouldn’t be something that would involve a disproportionate effort.

Relevant references: Articles 5 and 18 / Recital 39

Storage Limitation

This principle refers to the obligation to keep the personal data as far as necessary to identify the data subjects for the purposes established. In that sense, the data retention has to be set in a way that personal data is erased when the purposes have been served.

Now, there is one specific exemption to this principle:

89(1) processing for archiving, scientific, historical or statistical purposes as far as appropriate technological and organizational measures are in place to protect the rights and freedoms of the data subjects, in particular, the principle of data minimisation.

Relevant references: Articles 5, 6, 23 and 25 / Recital 39 and 45

Integrity and Confidentiality

This principle establishes the duty to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Relevant references: Articles 5 and 32 / Recital 74 to 84, 94 and 95.

Accountability

This principle states the obligation to comply with the principles and to be able to demonstrate that processing is performed in accordance with them.

Relevant references: Articles 5 and 24

Final Notes:

The obligation to comply with the principles rely on the Data Controller(s). However, the Data Processor(s) shall observe them and act accordingly – keep in mind the Data Processor’s obligation under article 28 (3)(h) GDPR.

Union or Member State Law may restrict by way of legislative measure the scope of article 5 as long as its provisions correspond to the rights and obligations provided in articles 12 to 22, and such restrictions respect the essence of the fundamental rights and freedoms and is necessary and proportionate measure in a democratic society to safeguard: national security, defence, public security, etc. For full details see recital 50 and article 23 of the GDPR.

It’s no secret that we might find regulatory gaps because of the technological developments. Keep pace with the times is not an easy task, but I trust our authorities would provide with more light regarding the many interfaces that are between law, regulation, and technology.

The lawinfographic of this article aims to provide a clear overview of the principles set in the GDPR for the processing of personal data; this should help all the actors processing personal data to review and align all its processing activities to these principles and documented as part of the accountability principle.

Each lawinfographic has a visual presentation and keywords that will allow comprehending at a glance the main topic. The articles may contain several examples and/or references from the EU law, regulations, guidelines and opinions on the matter. If you require more information, do not hesitate to consult the lawinfographic’s sources below or reach me on Linkedin.